Preparing BHOLD for attestation


Applies To: Forefront Identity Manager

Before you create your first attestation campaign, you must configure BHOLD attributes to prepare BHOLD for attestation. You must also configure the BHOLD Attestation module to send notifications to campaign stewards and assign appropriate permissions to campaign owners. In addition, you can modify the email templates that the BHOLD Attestation module uses to send notifications to campaign participants and specify the criteria that will be used to determine which users will be able to act as campaign stewards. You can also specify that only roles that are directly linked to users are attested.

The following are the basic tasks for preparing BHOLD for attestation:

  • Configuring BHOLD attributes

  • Configuring notification email templates

  • Configuring steward selection

  • Configuring role scope

Configuring BHOLD attributes

The BHOLD Attestation module sends email notifications to campaign owners and stewards to inform them of their responsibility and progress in an attestation campaign. To make this possible, you must configure attributes in BHOLD that specify the email (SMTP) server and email server settings. You can also change the application that BHOLD will use to validate users who attempt to access the BHOLD Attestation portal. You must also assign BHOLD permissions to campaign owners and stewards to enable them to carry out their respective responsibilities in attestation campaigns.

The following are the tasks required to configure BHOLD attributes for attestation:

  • Configuring email settings

  • Configuring attestation campaign owner permissions

  • Configuring attestation campaign steward permissions

Configuring email settings

Throughout an attestation campaign, the BHOLD Attestation module sends email messages to the campaign owner and stewards. You must configure BHOLD with the email server and other parameters to enable this feature.

To configure BHOLD email attributes for attestation
  1. In the BHOLD Core portal, in the left pane, click Home, and then click Values.

  2. On the BHOLD attributes/BholdAttributes page, click Modify.

  3. In SMTP Server, type the server name or IP address of the SMTP server that will be used to send notification messages, and then, in {usrbholdSMTPPort}, type the TCP port that is used to communicate with the SMTP server.

  4. In User Name SMTP Server and Password SMTP Server, type the user name and password of an account that is authorized to send messages through the SMTP server.

  5. In Mail Address (from) Attestation, type the email address of the user account that is authorized to send messages through the SMTP server.

  6. To optionally send copies of the notification messages to an email address, in Mail Address (bcc) Attestation, type the address to receive blind copies of notification messages.

  7. Click OK.

Configuring attestation campaign owner permissions

By default, the root account has the permissions necessary to act as a campaign owner. To enable other users to act as campaign owners, you must assign them to a role to which you have linked the BHOLD Attestation Campaign Owner permission.

To enable additional campaign owners
  1. In the BHOLD portal, in the left pane, click Roles.

  2. On the Roles page, click Add.

  3. On the Add role page, in Description, type a name for the role (for example, Attestation Campaign Owners), and then click OK.

  4. On the Role/<role> page, expand Permissions, and then click Modify.

  5. On the Role—permissions/<role> page, in Application, click the Search button, next to BHOLD Attestation Campaign Owner, click Add, next to BHOLD Attestation webservice Allowed, click Add, and then click Done.

  6. On the Role/<role> page, expand Users, and then click Modify.

  7. On the Role–users/<role> page, in Search string (Users), type the Description (name) of a user that you want to designate as an attestation campaign owner, and then click the Search button.

    Tip

    To display all users, leave Search string (Users) empty when you click the Search button.

  8. Next to the user, click Add, and then click Done.

Note

Instead of assigning a campaign owner directly to the role, you can use attribute-based authorization to link users to the campaign-owners role. For more information, see Managing attribute-based authorization policy for a role in Microsoft BHOLD Core Operations Guide.

Configuring attestation campaign steward permissions

To ensure that only appropriately authorized users are allowed to act as stewards in an attestation campaign, you must assign specific permissions to those users.

To enable attestation campaign stewards
  1. In the BHOLD portal, in the left pane, click Roles.

  2. On the Roles page, click Add.

  3. On the Add role page, in Description, type a name for the role (for example, Attestation Campaign Stewards), and then click OK.

  4. On the Role/<role> page, expand Permissions, and then click Modify.

  5. On the Role—permissions/<role> page, in Application, click the Search button, next to BHOLD Attestation Campaign Steward, click Add, next to BHOLD Attestation webservice Allowed, click Add, and then click Done.

  6. On the Role/<role> page, expand Users, and then click Modify.

  7. On the Role–users/<role> page, in Search string (Users), type the Description (name) of a user that you want to designate as an attestation campaign steward, and then click the Search button.

    Tip

    To display all users, leave Search string (Users) empty when you click the Search button.

  8. Next to the user, click Add, and then click Done.

Note

Instead of assigning a steward directly to the role, you can use attribute-based authorization to link users to the stewards role. For more information, see Managing attribute-based authorization policy for a role in Microsoft BHOLD Core Operations Guide.

Configuring notification email templates

The BHOLD Attestation module provides seven templates that it uses to send notification email messages to attestation campaign owners and stewards at various stages of a campaign instance:

  • Before instance start—Sent to the campaign owner seven days prior to the instance start date

  • Instance start—Sent to all stewards on the instance start date

  • Reminder—Sent to all stewards depending on the reminder frequency set when the attestation campaign was defined; for example, if the reminder frequency is set to weekly, the first reminder message is sent seven days after the instance start date, the second reminder is sent 14 days after the instance date, and so on

  • New entries for steward—Sent to a steward the day after the steward has been assigned a new user to attest

  • Instance due steward—Sent on the instance due date to all stewards with unattested users; the instance due date is one day before the date specified by the start date and duration

  • Instance due campaign owner—Sent to the campaign owner on the day following the instance due date, that is, the date specified by the start date and duration

  • Revoked steward on campaign—Sent to the campaign owner when a steward has lost the rights required to participate in the attestation campaign
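The schedule above turns on a small off-by-one: the steward due date is one day before the date given by the start date and duration, and the owner notification goes out on that later date. The following added example (not part of the original documentation or the BHOLD product) works the dates out for one instance. It assumes that the duration is counted in days and that reminders repeat at the configured interval until the due date; neither assumption is stated on the page.

```python
from datetime import date, timedelta

def notification_schedule(start, duration_days, reminder_every_days=None):
    """Return the dates on which each notification for one campaign instance
    is sent, following the list of templates on the page.

    Assumptions (not stated on the page): duration_days is the campaign
    duration in days, so start + duration is the date "specified by the start
    date and duration"; reminders repeat at reminder_every_days until the
    due date.
    """
    end = start + timedelta(days=duration_days)   # date given by start date and duration
    due = end - timedelta(days=1)                 # instance due date: one day before that
    schedule = {
        "before_instance_start": start - timedelta(days=7),  # owner, seven days prior
        "instance_start": start,                              # all stewards
        "instance_due_steward": due,                          # stewards with unattested users
        "instance_due_campaign_owner": end,                   # owner, day after the due date
        "reminders": [],                                      # stewards, at the reminder frequency
    }
    if reminder_every_days:
        d = start + timedelta(days=reminder_every_days)
        while d <= due:
            schedule["reminders"].append(d)
            d += timedelta(days=reminder_every_days)
    return schedule

def new_entries_notification(assigned_on):
    """'New entries for steward' is sent the day after a user is assigned to the steward."""
    return assigned_on + timedelta(days=1)

if __name__ == "__main__":
    # Constructed input: a 30-day instance starting 1 March 2024 with weekly reminders.
    for name, when in notification_schedule(date(2024, 3, 1), 30, 7).items():
        print(f"{name}: {when}")
```

With a weekly reminder frequency the first reminder lands seven days after the start date and the second 14 days after it, exactly as the page describes; the owner's "instance due" message is sent one day after the stewards' due-date message.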

You can modify these templates to meet your organization’s requirements. In addition to changing the font used in the subject and body of the messages, you can change the contents of the subject and body. The templates provide placeholders that are replaced with appropriate content by the BHOLD Attestation module when it sends the notification messages. The following are the supported placeholders that you can use when you modify a template:

Placeholder               Description
-----------               -----------
<Campaign>                The name of the attestation campaign
<CampaignDescription>     The description of the attestation campaign
<CampaignOwner>           The name of the attestation campaign owner
<CampaignRemark>          The remarks provided when the campaign was defined
<Instance>                The description of the attestation campaign instance, consisting of the campaign name and instance start date
<InstanceDueDate>         The date on which all stewards are expected to finish, one day before the date specified by the start date and duration
<InstanceEndDate>         The date on which the attestation campaign instance is set to finish, or the start date of the next instance of a recurring campaign
<InstanceStartDate>       The date on which the attestation campaign instance is set to begin
<InstanceStatus>          A description of the current status of the attestation campaign instance
<LinkToDashboard>         The URL of the campaign owner’s dashboard
<LinkToPortal>            The URL of the campaign steward’s dashboard
<NrOfEntriesAttested>     The total number of entries that have been attested by the steward
<NrOfEntriesToAttest>     The total number of entries to be attested by the steward
<Steward>                 The name of the steward receiving the notification

To change a notification template

  1. In the BHOLD Attestation Campaign portal, in the left pane, click Notification.

  2. On the Notification page, in the Select list, click the name of the template you want to change.

  3. To change the font used for the subject or body, in the list under Subject or Body, click the name of the font you want to use.

  4. To change the contents of the subject or body, edit the contents under the font list.

  5. Click OK.

Configuring steward selection

The BHOLD Attestation module provides four methods for pairing stewards with the users for which they are responsible:

  • Model based—Stewards are automatically paired with users that belong to the organizational units (orgunits) for which the stewards are assigned a steward role type

  • Application based—Stewards are designated as stewards for the application and are able to attest all users of the application

  • File upload based—Stewards are paired with users in a file that is uploaded when the campaign is defined

  • User attribute based—Stewards are paired with users by being specified in a selected user attribute

The following sections explain how to configure each of these methods:

  • Configuring model-based steward selection

  • Configuring application-based steward selection

  • Configuring file upload–based steward selection

  • Configuring user attribute–based steward selection

Configuring model-based steward selection

Model-based steward selection allows you to define stewards for whole organizational units (orgunits) rather than specifying them on a per-user basis, as is the case for steward selection that is based on file uploads or user attributes.

The following are the steps required to configure model-based steward selection for an orgunit:

  1. Create a steward role for the orgunit

  2. Link the role to the orgunit as a proposed role

  3. Activate the proposed role for the steward

A steward role is simply a role that has the Role Type attribute set to Steward. The role is linked to an orgunit as a proposed role so that the role can be effective only for selected members of the orgunit who will act as stewards for the attestation campaign of the orgunit.

To create a steward role
  1. In the BHOLD Core portal, in the left pane, click Roles.

  2. On the Roles page, click Add.

  3. On the Add role page, in Description, type the name of the role you are creating, in Role type, type Steward, and then click OK.

To link a steward role to an orgunit as a proposed role
  1. In the BHOLD Core portal, in the left pane, click Organizational units.

  2. On the Organizational units page, click the organizational unit (orgunit) you want to link to the steward role.

  3. On the Organizational unit/<orgunit> page, expand Roles, and then click Modify.

  4. On the Organizational unit–roles/<orgunit> page, in Search string (Roles), type the name of the steward role, click the Search button, and then click Add next to the steward role.

  5. In the Relation type list, click Proposed, click Add, and then click Done.

To activate a proposed role for a steward
  1. In the BHOLD Core portal, in the left pane, click Users.

  2. Click the user that you want to activate a proposed steward role for.

  3. On the User/<user> page, expand Inherited roles, and then click Modify.

  4. On the User–roles/<user> page, expand Inherited roles, and then next to the proposed steward role, click Activate.

  5. On the User–assign temporary roles/<user> page, click Add, and then click Done.

Configuring application-based steward selection

To enable application-based steward selection, any application that is to be attested must have at least one steward specified as an attribute of the application. Application stewards do not need to be linked to a steward role.

To specify a steward for an application
  1. In the BHOLD Core portal, in the left pane, click Applications.

  2. On the Applications page, click the application you want to specify a steward for.

  3. On the Application/<application> page, click Modify.

  4. On the Edit application attributes/<application> page, in the first available box labeled Steward1 through Steward5, type the Description (name) of the application steward, and then click OK.

    Tip

    You can designate more than five stewards for an application by adding to the BHOLD application object attributes that follow the same naming convention. For more information about adding attributes to BHOLD objects, see Managing BHOLD objects and attributes in Microsoft BHOLD Core Operations Guide.

Configuring file upload–based steward selection

File upload–based steward selection requires you to create a steward file that lists each user being attested and the steward responsible for attesting that user. The file must be a two-column, comma-delimited (.csv) file. The first line of the file must consist of the following:

Stewards,Users

Each subsequent line in the file must be in the following format:

<steward> , <user>

where <steward> is the Description (name) of the steward responsible for attesting the user and <user> is the Description of the user being attested.

Configuring user attribute–based steward selection

User attribute-based selection relies on one or more user attributes that indicate a “reports to” relationship or that otherwise specify the steward for each user. Different attributes can be used in each campaign, allowing you to use one set of stewards for attesting application users and another set of stewards for attesting users in organizational units (orgunits), for example.

The default user object in BHOLD Core does not contain attributes that are suitable for specifying stewards for each user. Before you can define an attestation campaign that uses attribute-based steward selection, you must add one or more attributes to the user object in BHOLD Core and then populate those attributes with the appropriate users. Typically, this is done when the BHOLD role model is first created, such as when the BHOLD Model Generator is used to create the role model, or through the process of synchronizing identity data with Forefront Identity Manager.

Note

You can use a multivalue attribute (with values separated by semicolons) to select more than one steward for a user. If more than one steward is specified, any of the specified stewards can attest the user’s access rights.

When the required user attributes are in place, you use the BHOLD Attestation Campaign portal to specify which user attributes can be used to select stewards for attestation campaigns. When you define an attestation campaign that uses attribute-based steward selection, you can specify which of these attributes are to be used for that particular campaign.
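Both the file upload method (the two-column Stewards,Users file described above) and the user attribute method (a "reports to" attribute, possibly multivalued with semicolons) end up as the same thing: a mapping from each attested user to the stewards allowed to attest them. The following added example, which is not part of the original documentation or the BHOLD product, parses a steward file strictly against the stated format, builds the same mapping from a user attribute, and then reports the two problems a campaign owner most wants to catch before an instance starts: users with no steward and steward names that match no user Description. The attribute name Manager, the sample file and the sample user records are all constructed for the example.

```python
import csv
import io

# Constructed sample steward file in the page's two-column format. Whitespace
# around the comma is tolerated, as the page's "<steward> , <user>" line suggests.
SAMPLE_STEWARD_FILE = """Stewards,Users
Alice Adams , Bob Brown
Alice Adams, Carol Cho
Dan Diaz,Carol Cho
"""

# Constructed sample user records. "Manager" is an assumed name for the steward
# attribute added to the BHOLD user object; the page does not name one.
SAMPLE_USERS = [
    {"Description": "Bob Brown",   "Manager": "Alice Adams"},
    {"Description": "Carol Cho",   "Manager": "Alice Adams;Dan Diaz"},  # multivalue: either may attest
    {"Description": "Erin Evans",  "Manager": ""},                      # no steward populated
    {"Description": "Alice Adams", "Manager": "Dan Diaz"},
]

def pairs_from_steward_file(text):
    """Parse a file-upload steward file into {user: [stewards]}.

    Raises ValueError when the first line is not exactly 'Stewards,Users' or a
    data line does not have exactly two non-empty columns.
    """
    rows = list(csv.reader(io.StringIO(text)))
    if not rows or [c.strip() for c in rows[0]] != ["Stewards", "Users"]:
        raise ValueError("first line must be exactly: Stewards,Users")
    pairs = {}
    for lineno, row in enumerate(rows[1:], start=2):
        if not row:                      # blank line: ignore
            continue
        cells = [c.strip() for c in row]
        if len(cells) != 2 or not all(cells):
            raise ValueError(f"line {lineno}: expected '<steward> , <user>', got {row!r}")
        steward, user = cells
        pairs.setdefault(user, [])
        if steward not in pairs[user]:   # same pair listed twice is harmless
            pairs[user].append(steward)
    return pairs

def pairs_from_user_attribute(users, attribute):
    """Build {user: [stewards]} from a user attribute; semicolons separate
    multiple stewards, any of whom may attest the user."""
    pairs = {}
    for u in users:
        raw = u.get(attribute) or ""
        pairs[u["Description"]] = [s.strip() for s in raw.split(";") if s.strip()]
    return pairs

def check_pairs(pairs, known_descriptions):
    """Report users that nobody can attest and steward names that do not match
    any BHOLD user Description (those stewards never receive a notification)."""
    unassigned = sorted(u for u, stewards in pairs.items() if not stewards)
    unknown = sorted({s for stewards in pairs.values() for s in stewards
                      if s not in known_descriptions})
    return {"unassigned_users": unassigned, "unknown_stewards": unknown}

if __name__ == "__main__":
    known = {u["Description"] for u in SAMPLE_USERS}
    print(check_pairs(pairs_from_steward_file(SAMPLE_STEWARD_FILE), known))
    print(check_pairs(pairs_from_user_attribute(SAMPLE_USERS, "Manager"), known))
```

Run the check against the Descriptions actually present in BHOLD Core before uploading the file or selecting the attribute; a steward name that matches nobody silently leaves that user unattested for the whole instance.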

To specify user attributes for steward selection in attestation campaigns
  1. In the BHOLD Attestation Campaign portal, in the left pane, click Settings.

  2. On the Settings page, click the user attributes that are to be used for selecting stewards in attestation campaigns, and then click OK.

    Tip

    You can use the Ctrl and Shift keys to select more than one attribute.

Configuring role scope

When you define and run attestation campaigns, you can limit the permissions that are evaluated to permissions that are linked to roles that are directly linked to the users being attested. Otherwise, the permissions linked to directly linked and inherited roles are evaluated.

To configure role scope for all attestation campaigns

  1. In the BHOLD Attestation Campaign portal, in the left pane, click Settings.

  2. On the Settings page, do one of the following, and then click OK:

    • To allow only the permissions of directly linked roles to be evaluated in all attestation campaigns, select the Use only direct linked roles in Attestation campaigns check box.

    • To allow the permissions of both inherited and directly linked roles to be evaluated in all attestation campaigns, clear the Use only direct linked roles in Attestation campaigns check box.
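The practical consequence of the check box is a coverage decision: with only directly linked roles in scope, every permission a user holds through an inherited role (for example, a role linked to the user's orgunit) is never presented to a steward. The following added example, not part of the original documentation or the BHOLD product, computes the permission set a steward would see under each setting for a constructed mini-model, and the gap between them. The model layout (role to permissions, orgunit to inherited roles, user to direct roles and orgunit) is assumed for the example; the page describes only the direct versus inherited distinction.

```python
# Constructed sample model. Layout is assumed for the example, not BHOLD's format.
ROLE_PERMISSIONS = {
    "Payroll Clerk":    {"Payroll.Read"},
    "Payroll Approver": {"Payroll.Approve"},
    "Finance Staff":    {"GL.Read", "Expenses.Submit"},
}
ORGUNIT_ROLES = {          # roles every member of the orgunit inherits
    "Finance": {"Finance Staff"},
}
USERS = {
    "Bob Brown": {"direct_roles": {"Payroll Clerk"}, "orgunit": "Finance"},
    "Carol Cho": {"direct_roles": {"Payroll Clerk", "Payroll Approver"}, "orgunit": "Finance"},
    "Erin Evans": {"direct_roles": set(), "orgunit": "Finance"},
}

def roles_in_scope(user, direct_only, users=USERS, orgunit_roles=ORGUNIT_ROLES):
    """Roles whose permissions a campaign evaluates for this user.
    direct_only mirrors the 'Use only direct linked roles in Attestation campaigns' box."""
    info = users[user]
    roles = set(info["direct_roles"])
    if not direct_only:
        roles |= orgunit_roles.get(info["orgunit"], set())
    return roles

def permissions_to_attest(user, direct_only, role_permissions=ROLE_PERMISSIONS, **model):
    """Union of the permissions linked to the roles in scope."""
    return set().union(*(role_permissions[r] for r in roles_in_scope(user, direct_only, **model)))

def skipped_when_direct_only(user, **model):
    """Permissions the user holds that no steward is asked about when the box is selected."""
    return permissions_to_attest(user, False, **model) - permissions_to_attest(user, True, **model)

if __name__ == "__main__":
    for u in USERS:
        print(u, "direct only:", sorted(permissions_to_attest(u, True)),
              "skipped:", sorted(skipped_when_direct_only(u)))
```

A user with no directly linked roles at all (Erin Evans in the sample) produces an empty set under the direct-only setting even though the orgunit grants real permissions, which is worth knowing before you select the box for every campaign at once.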
